Overall, these results illustrate that in 2019, hackers are doubling down on well-known tactics like credential theft and ransomware by utilising fake Office documents and other attack avenues that require organisations to deploy advanced defences to combat a wider variety of threat vectors.

“Whether it be DNS-level filtering to block connections to malicious websites and phishing attempts, intrusion prevention services to ward off web application attacks or multi-factor authentication to prevent attacks leveraging compromised credentials – it’s clear that modern cybercriminals are leveraging a host of diverse attack methods and the best way for organisations to protect themselves is with a unified security platform that offers a comprehensive range of security services.”

WatchGuard’s Internet Security Report is designed to provide the threat intelligence, research and security best practices organisations need to defend against online adversaries and better protect their data.

Key findings from the Q1 2019 report include:

Attackers continue to favour malicious Office documents – In Q1 2019, more than 17% of Fireboxes blocked malicious Office documents, with two threats in this category making it into WatchGuard’s most widespread malware list, and one in the top 10 malware attacks by volume. Over half of these malicious documents were blocked in EMEA, largely in Eastern European countries. Users should avoid interacting with unsolicited Office documents and consider any attachments that seek to enable macros as a threat.

Mac OS malware on the rise – Mac malware first appeared on WatchGuard’s top 10 malware list in Q3 2018, and now two variants have become prevalent enough to make the list in Q1 2019. This increase in Mac-based malware further debunks the myth that Macs are immune to viruses and malware, and reinforces the importance of advanced threat protection for all devices and systems.

Web application exploits soar – Despite a decrease in the overall volume of network attacks in Q1, web application attacks grew significantly. WatchGuard’s IPS service caught attackers exploiting many cross-site scripting (XSS) and SQL injection (SQLi) vulnerabilities – both popular methods for credential theft. Two SQIi attacks made it onto WatchGuard’s top 10 network attacks list, while one web XSS attack accounted for more than 10% of network attacks on the top 10 list overall.

DNS filtering blocks more than 5 million malicious sites – WatchGuard’s DNSWatch service successfully prevented 5,192,883 attempted visits to nefarious destinations, blocking over half a million connections to known malware-hosting domains, 187,101 connections to compromised websites and 61,096 connections to known phishing sites. Compromised websites can be difficult to identify and block, so DNS-level filtering is critical to prevent users from unknowingly falling victim to malware infections, credential theft or botnet command and control systems.

Fileless malware stakes its claim – Fileless threats appeared in both WatchGuard’s top 10 malware and top 10 network attack lists. On the malware side, a PowerShell-based code injection attack showed up in the top 10 list for the first time in Q1, while the popular fileless backdoor tool, Meterpreter, made its first appearance in the top 10 list of network attacks too. This trend further demonstrates cybercriminals’ continued focus on utilising this evasive threat category.

Mimikatz malware skyrockets by 73%, remains the #1 threat – Accounting for 20.6% of all malware found in Q1, this popular open source tool is often used for password theft, and represents a major driver behind many network infiltrations. Mimikatz is a mainstay on WatchGuard’s top 10 malware list, which highlights the importance of using lengthy, complex passwords unique to each individual account. Furthermore, with cybercriminals’ persistent focus on credential theft, organisations of all sizes should consider adopting multi-factor authentication solutions in order to prevent bad actors from compromising legitimate user accounts.

WatchGuard’s Internet Security Report is based on anonymised Firebox Feed data from a subset of active WatchGuard UTM appliances whose owners have opted in to data-sharing to support the Threat Lab’s research efforts.

Today, 42,372 appliances throughout the world contribute to the Internet Security Report data pool.

In total, those appliances blocked more than 23,884,979 malware variants, at a rate of 564 samples blocked per device.

The complete report explores the most impactful malware and attack trends from Q1 2019, a detailed analysis of the historic “51% attack” against the cryptocurrency Ethereum Classic (ETC) that resulted in $1.1 million in losses, and cyber security advice readers can use to better protect themselves and their organisations.